Netgear patch delay left thousands of routers under attack

A Netgear router vulnerability remained unpatched for months after it was discovered by security researchers, leaving thousands of the devices under active attack.

Researcher have found a vulnerability in Netgear routers
Researcher have found a vulnerability in Netgear routers

Netgear routers have been found to be under active attack despite the exploited vulnerability being disclosed months ago. 

Today it was announced that a fix had finally been released. 

At the end of September, Joe Giron discovered problems with his internet connection. On further inspection, Giron realised that his Netgear router's DNS server address had been changed. Giron had been the victim of an attack.

According to a recent disclosure by Swiss security company, Compass, Netgear routers of the kind that Giron owned were vulnerable to an authentication bypass exploit. 

The attacker can merely access the administration interface of the router and when prompted for a username and password, call the URL http://<ROUTER-IP>/BRS_netgear_success.html . After repeated attempts, the attacker would then gain access to the router's administration interface without the need for any identification details.

Alexandre Herzog, CTO of Compass Security, spoke to SCMagazineUK.com regarding the vulnerability and its implications for normal users: “If you use a vulnerable Netgear router, anyone in your internal network (or anyone on the Internet if you enabled the remote administration option, an option disabled by default) can reconfigure your router at their will,” Herzog said. 

He added that, “The attacker can so gain access to all your network traffic, perform a man-in-the-middle attack or misconfigure the way name resolution is done, via the router's DNS settings. We are aware of reports where victims had their router DNS entries altered. In such an instance, attackers can for example redirect you to phishing sites, inject ads or malware into your browsing experience.”

SC got in touch with Netgear who explained how the vulnerability might be exploited: "The attack can only be launched once the attacker gets on the network by either connecting wirelessly to the network, with a Ethernet connection to the router, or remotely from the Internet if the remote management feature is turned on.  By default, the remote management feature is turned off."

Giron only realised that he had been attacked once Compass released its advisory on the exploit. One of Compass' researchers, Daniel Haake, had discovered the vulnerability in July and privately disclosed it to Netgear. 

Giron told Compass of his problems, and the company downloaded information from one of the attacker's servers and found that over 10,000 other routers had fallen victim to the same attack.

Once Compass informed the Swiss government, the authorities began to shut down the malicious servers. But despite several public and private disclosures from various sources including the Swiss government, security companies and various trade press outlets, Netgear remained quiet on the issue until recently.

Compass, which reported the vulnerability in July, has noted the silence with which Netgear approached the issue. Herzog told SC, “We did not hear back from Netgear since the news broke out. We never had a chance to directly talk to a member of Netgear's security team.”

Netgear released a firmware update to address the issue today. The company told SC that it is "pro-actively notifying registered users via email" of the vulnerability and the firmware update and that "Netgear encourages its customers to ensure WiFi security is turned on and that remote access functionality is turned off".